SCADA mobile app security is getting worse

The security of mobile apps that tie in with Supervisory Control and Data Acquisition (SCADA) systems has deteriorated over the last two-and-a-half years, according to new research.

A team of boffins from IOActive and IoT security startup Embedi said they had discovered 147 vulnerabilities in 34 of the most popular Android mobile apps for SCADA systems.

Mobile applications are increasingly being used in conjunction with SCADA systems. The researchers warned these apps are "riddled with vulnerabilities that could have dire consequences on SCADA systems that operate industrial control systems".

How mobile apps fit into modern industrial control system architectures [source: IOActive white paper]

Code-tampering vulns found in 94% of sampled apps

The 34 Android applications tested were randomly selected from the Google Play Store.

The research focused on testing software and hardware, using backend fuzzing and reverse engineering. The team successfully uncovered security vulnerabilities ranging from insecure data storage and insecure communication to insecure cryptography and code-tampering risks.

The research revealed the top five security weaknesses were: code tampering (94 per cent of apps), insecure authorisation (59 per cent of apps), reverse engineering (53 per cent of apps), insecure data storage (47 per cent of apps) and insecure communication (38 per cent of apps).

The same team of researchers found 50 vulnerabilities across 20 Android apps in 2015. The rise to 147 vulnerabilities in 34 apps therefore represents an average increase of 1.6 vulnerabilities per app.

Technical details of the research will be released by Alexander Bolshev, IOActive security consultant, and Ivan Yushkevich, information security auditor for Embedi, in a new paper "SCADA and Mobile Security in the Internet of Things Era".

Bolshev explained: “It’s important to note that attackers don’t need to have physical access to the smartphone to leverage the vulnerabilities, and they don’t need to directly target ICS [Industrial Control Systems] control applications either. If the smartphone users download a malicious application of any type on the device, that application can then attack the vulnerable application used for ICS software and hardware.

“What this results in is attackers using mobile apps to attack other apps,” he added.

Yushkevich added: “Developers need to keep in mind that applications like these are basically gateways to mission-critical ICS systems. It’s important that application developers embrace secure coding best practices to protect their applications and systems from dangerous and costly attacks.”

Yushkevich said the team tested only Google Play apps in order that it could "compare the results of this research with those of the previous research in 2015".

He said of the threats that could occur as a result of these vulnerabilities: “Some of the revealed vulnerabilities are the client-side ones. For example, SQL injections may be used to disrupt the operation of a device.

“To exploit most of the described vulnerabilities, a hacker has to simply intercept traffic and get to the same network segment a victim is in. So, the SQL injection vulnerability is an exception here.”

IOActive and Embedi have informed the impacted vendors of the findings and are coordinating with a number of them to ensure fixes are in place. ®